In part 1 we looked at how security questions are generally insecure for a number of reasons and highlighted some of the key challenges faced in improving security. The next step is to look specifically at suggestions for adapting to what are clearly a number of broken business processes and inadequate IT solutions. We start with what happens when someone calls you and asks to take you through security questions – ‘What?! You called me!’
If someone calls you and tells you they need to take you through security questions, do not comply. Simply put, if they are calling you, you should be the one confirming that they are who they say they are. This makes sense and there are a number of approaches.
- Tell the caller that you will call them back. Always use a telephone number that has been previously provided to you in official correspondence or use a publicly available number which you are confident is the correct number for the company allegedly calling you.
- The caller may attempt to give you a telephone number to call. Never use this number. If the call is fraudulent then the number given will also be fraudulent.
- After the call, always make a call to a known number such as a family member or a friend. This is to ensure that the previous call was definitely disconnected. With some telephone systems, the call can remain connected after hanging up. Picking up the phone and dialling a genuine number can result in a continuation of the previous call.
- If you receive a text message asking you to call your bank or another company about an urgent matter, never use the telephone number provided in the text.
- Even if the Caller ID shows up as a genuine number that you recognise, it is still worth following the same process, as Caller IDs can be faked.
There is an assumption that an organisation calling you has the exclusive right to make sure they are speaking to the right person. You can test this yourself next time you receive a call by trying to take them through security. When they call you, ask them to confirm the 2nd and 5th digits of the customer number you were issued with, or some other obscure question which the caller would be able to answer if they were genuine. The point here is not to get them to comply, but to demonstrate that they will not comply. They will, however, try to insist that you comply.
This is a failing in the way the business processes are set up. The idea that this is simply how the process works is so embedded in people’s thinking that fraudsters can step in and mimic the process to obtain access to sensitive information. In recent years we have seen notifications from financial institutions stating, ‘We will never ask you for your PIN number’. The next step on this matter would be for corporations to say ‘We will never call you and ask you security questions’.
In part 3 we will look more at security questions and how the entire security model around the use of security questions has a limited shelf life.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.